For business the cloud too often remains a murky territory where they lose visibility over how their assets are protected and questions of security and legal liability become increasingly blurred.
A recent Microsoft survey showed 45 percent of SMEs are worried about ‘their lack of control over data in the cloud’ which is feeding fears over regulatory compliance and data security. In another survey, Seven in 10 businesses didn’t believe cloud providers complied with data protection laws and many didn’t trust them to secure their data. This is denting confidence in the industry and stopping SMEs from utilising the benefits of a pay-as-you-go pool of IT resource that can be seamlessly scaled up and down with need.
Yet many business concerns over the cloud are based less on knowledge and more on fear of the unknown. A third survey painted a startling picture of a business community with little oversight over its own cloud usage; 62 percent of businesses were unsure that they have even vetted their cloud services for security with 63 percent admitting to a ‘lack of vigilance in conducting audits or assessments’ of cloud services. Increasingly, cloud services are treated as a giant ‘shadow IT’ structure that exists parallel to the business but beyond its visibility and control.
So why are many businesses putting vital data in cloud platforms without doing due diligence?
We have to move away from the perception that outsourcing data means giving away control and oversight over how it is secured, a perception that is harming trust in the industry. One of the things businesses can do to take control of cloud security is simply ask the right questions before signing a contract.
For example SMEs that need to protect their intellectual property in multi-tenant clouds should mandate that cloud providers implement Brewer & Nash’s ‘Chinese wall model’ (which guarantees that data from one cloud tenant is off-limits to competitors) while companies storing mission-critical apps in the cloud should make sure service level agreements guarantee minimum uptime. As ISC2’s White Paper Security in the Skies explains, SMEs who fail to do due diligence before migrating to the cloud are left legally and financially exposed to the security practices of cloud providers.
Since cloud vendors are competing to be trusted as custodians of business fortunes, the industry has to be transparent with customers about how it will protect them. With no agreed gold standard on data security, vendors should at least inform prospective customers of their safeguards, security accreditations, and track record on data protection.
We also need more honesty from the industry when things go wrong. Cloud providers are forever promising transparency over how many GCHQ snooping requests they get, but SMEs-who are more worried about IP thieves than Government spies would prefer that cloud providers were more transparent with their customers about new vulnerabilities or data breaches.
Cloud providers must open up their inner workings and risk profile to businesses so they can be easily audited on a regular basis. And SMEs should require that they are notified within 24 hours of a critical data breach that could affect their business. If we are to restore trust in the industry, the cloud must be transformed from a black box into a glass house that tenants can see into at any time.
Dr Adrian Davis, European MD (ISC)2